45 minutes ago, I was informed of a remotely exploitable
bug in RT 2.0’s password verification routine that can
allow remote users who have HTTP access to an RT
instance’s web interface to gain administrative
permissions. This bug affects ALL releases of RT 2.0
prior to 2.0.13.
RT 2.0.13, which resolves this issue, is immediately
Aside from the security fix, this release is identical to
If you cannot immediately upgrade your RT instance, you
MUST execute the following SQL statement to protect your
RT instance from exploitation:
update Users set Password = 'LOCK' where Password is null;
This SQL statement does not need to be executed if you
upgrade to RT 2.0.13.
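For administrators applying the interim workaround above, the following is an added example (not part of the original announcement) showing how to audit which accounts are affected before locking them and how to confirm the lock took effect afterwards. It assumes the RT 2.0 Users table exposes `id` and `Name` columns alongside `Password`, and that your database supports explicit transactions; adjust the column names and transaction syntax for your database if they differ.

```sql
-- Step 1 (audit): list the accounts that currently have no password set.
-- These are the rows the workaround will change; review them first.
SELECT id, Name
FROM Users
WHERE Password IS NULL;

-- Step 2 (mitigate): apply the announcement's workaround inside a transaction
-- so it can be rolled back if the affected row count is unexpected.
BEGIN;

UPDATE Users
SET Password = 'LOCK'
WHERE Password IS NULL;

-- Step 3 (verify): after the update this must return 0.
-- If it does not, ROLLBACK and investigate before going further.
SELECT COUNT(*) AS remaining_null_passwords
FROM Users
WHERE Password IS NULL;

COMMIT;
```

Run the audit query first and keep its output; it is the record of which accounts were locked and will need a password reset by an administrator after the upgrade to RT 2.0.13.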
Jesse Vincent
Best Practical Solutions, LLC
http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.
rt-announce mailing list